author Brian May <brian@linuxpenguins.xyz> 2020-04-01 07:17:16 +1100
committer Brian May <brian@linuxpenguins.xyz> 2020-04-01 07:34:56 +1100
commit 10c8c53f890a29bcb892bc2cdbd3d25f0c69e754
tree b1df71355f39183a155d2d41dd892c428b0b9fb9 /data/CVE/2014.list
parent 3b1daa193bc95ff45777ce16eba78bb2c11e8b2d
lua-cgi - code is broken and cannot be exploited
As per bug #954300, the session.close function is broken. This means it is not possible to save session data. This in turn means there are no concerns if the session id is made public because there is no sensitive data associated with the session. So it doesn't matter if somebody attempts to guess the session id because it doesn't reveal anything useful. This bug is trivial to resolve, however the fact that nobody is complaining about this bug or trying to fix the bug would strongly suggest that nobody is using session management with lua-cgi.
Diffstat (limited to 'data/CVE/2014.list')
-rw-r--r-- data/CVE/2014.list 4
1 files changed, 3 insertions, 1 deletions
diff --git a/data/CVE/2014.list b/data/CVE/2014.list
index 9526615b5c..957d49fd15 100644
--- a/data/CVE/2014.list
+++ b/data/CVE/2014.list
@@ -19574,8 +19574,10 @@ CVE-2014-2877
CVE-2014-2876
RESERVED
CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses wea ...)
- - lua-cgi <unfixed> (bug #953037)
+ - lua-cgi <not-affected> (code is broken and cannot be exploited)
NOTE: https://github.com/keplerproject/cgilua/issues/17
+ NOTE: https://bugs.debian.org/953037
+ NOTE: https://bugs.debian.org/954300
CVE-2014-XXXX [Insecure default permissions for ~/.virtualenvs and scripts]
- virtualenvwrapper 4.3-1 (low; bug #745580)
[wheezy] - virtualenvwrapper <no-dsa> (Minor issue)
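Review bot: the `<not-affected>` status on the added lua-cgi line holds only while session.close stays broken (bug #954300), and the commit message itself calls that bug trivial to resolve, so a later fix would bring back the session id guessing concern of CVE-2014-2875 while this entry still reports not-affected. The parenthetical "code is broken and cannot be exploited" does not say which breakage it relies on, and the two added NOTE lines are bare URLs with no indication of which bug is the original report and which is the blocker. Suggest adding a NOTE that names #954300 as the reason for the status and says the entry must be revisited if that bug is fixed, so the dependency is visible to whoever next touches lua-cgi.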
